PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45701 sulu CVE debrief

Sulu, an open-source PHP content management system built on Symfony, used a weak cryptographic hash algorithm for password reset token and API key generation in versions prior to 2.6.23 and 3.0.6. The weakness in the hashing mechanism could allow attackers to predict or reverse-engineer sensitive tokens and keys, potentially leading to unauthorized account access or API abuse. The issue is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and carries a CVSS 4.0 score of 6.9 (Medium severity). The vulnerability was disclosed on June 1, 2026, with patches released the same day in Sulu versions 2.6.23 and 3.0.6. No known exploitation in ransomware campaigns has been reported, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor
sulu
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running Sulu CMS instances, particularly those exposing password reset functionality or API endpoints to untrusted networks. Development teams maintaining Sulu-based applications or custom integrations generating tokens or keys should verify their implementations. Security operations teams should monitor for suspicious authentication patterns.

Technical summary

The vulnerability exists in Sulu's generation of password reset tokens and API keys, which relied on a cryptographically weak hash algorithm. In affected versions prior to 2.6.23 and 3.0.6, this weakness could enable attackers to compute or guess valid tokens or keys, bypassing authentication controls. The attack requires no privileges or user interaction and is exploitable over the network. The fix in versions 2.6.23 and 3.0.6 replaces the weak algorithm with a cryptographically secure alternative.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Sulu to version 2.6.23 (for 2.x branches) or 3.0.6 (for 3.x branches) to obtain the cryptographic fix
  • Review application logs for anomalous password reset activity or unexpected API key usage prior to patching
  • Rotate all existing API keys and force password resets for user accounts after upgrading to eliminate any tokens generated with the weak algorithm
  • Verify that custom token or key generation implementations in Sulu extensions or integrations do not replicate the weak hashing pattern
  • Monitor for unauthorized access attempts or account takeovers following disclosure, as the network-accessible nature of this vulnerability increases exposure
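The technical summary and the fourth action above both turn on the same point: a reset token or API key is only as unpredictable as its source of randomness, so hashing low-entropy inputs (timestamps, user ids, sequence numbers) with any digest, weak or strong, yields a guessable value. The following is an added example written for this debrief, not Sulu's own code or its actual fix, showing the pattern a custom extension should use instead: draw the token from the CSPRNG, store only a digest of it, compare in constant time, and enforce expiry and single use. The class and method names (`TokenStore`, `issue`, `redeem`) are hypothetical; it assumes PHP 8.0 or later for constructor property promotion.

```php
<?php
// Added example for the CVE-2026-45701 debrief; hypothetical code, not from Sulu.
// Demonstrates token generation that is not subject to CWE-327:
//   - entropy comes from random_bytes() (CSPRNG), never from hashed predictable data
//   - only a SHA-256 digest of the token is stored, so a database leak does not
//     hand out live tokens
//   - verification uses hash_equals() and enforces expiry and single use
declare(strict_types=1);

final class TokenStore
{
    /** @var array<string, array{user:string, expires:int, used:bool}> keyed by digest */
    private array $records = [];

    public function __construct(private int $ttlSeconds = 3600)
    {
    }

    // Issue a token for $userId. 32 bytes = 256 bits of CSPRNG output, hex-encoded
    // so it is safe in URLs and headers. The raw token is returned once to the
    // caller (to be e-mailed or shown) and is never persisted.
    public function issue(string $userId, int $now): string
    {
        $raw = bin2hex(random_bytes(32));
        $this->records[self::digest($raw)] = [
            'user'    => $userId,
            'expires' => $now + $this->ttlSeconds,
            'used'    => false,
        ];
        return $raw;
    }

    // Redeem a presented token. Returns the owning user id, or null if the token
    // is unknown, expired or already used. Constant-time comparison avoids a
    // timing side channel on the digest lookup.
    public function redeem(string $presented, int $now): ?string
    {
        $digest = self::digest($presented);
        foreach ($this->records as $storedDigest => $rec) {
            if (!hash_equals($storedDigest, $digest)) {
                continue;
            }
            if ($rec['used'] || $now > $rec['expires']) {
                return null;
            }
            $this->records[$storedDigest]['used'] = true;
            return $rec['user'];
        }
        return null;
    }

    // A digest of the raw token is what gets stored; SHA-256 is fine here because
    // the preimage is 256 bits of CSPRNG output, not a low-entropy secret.
    private static function digest(string $raw): string
    {
        return hash('sha256', $raw);
    }
}

// Stand-alone demonstration when run from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $store = new TokenStore(ttlSeconds: 900);
    $now   = time();
    $token = $store->issue('user-42', $now);               // constructed sample user id

    var_dump($store->redeem($token, $now + 60));            // string(7) "user-42"
    var_dump($store->redeem($token, $now + 120));           // NULL (single use)
    var_dump($store->redeem(bin2hex(random_bytes(32)), $now)); // NULL (unknown)

    $late = $store->issue('user-43', $now);
    var_dump($store->redeem($late, $now + 901));            // NULL (expired)
}
```

When auditing a Sulu extension or integration against the fourth action above, the question to ask of each token or key generator is where its bytes come from: if the value is a digest of anything an attacker can observe or enumerate, the strength of the digest function does not matter and the generator should be replaced with the `random_bytes()` pattern shown here. Tokens issued before such a replacement should be rotated, as the second and third actions already recommend.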

Evidence notes

The CVE description confirms weak cryptographic hashing for password reset tokens and API keys. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N) indicates a network-accessible attack vector with low complexity, no privileges required, no user interaction, and low impacts to confidentiality and integrity (no availability impact). CWE-327 is explicitly identified in the source metadata. Patch versions 2.6.23 and 3.0.6 are confirmed via GitHub release references.

Official resources

2026-06-01